- NetBSD Manual Pages
PAM_SSH(8) NetBSD System Manager's Manual PAM_SSH(8)
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.
pam_ssh -- authentication and session management with SSH private keys
[service-name] module-type control-flag pam_ssh [options]
The SSH authentication service module for PAM provides functionality for
two PAM categories: authentication and session management. In terms of
the module-type parameter, they are the ``auth'' and ``session'' fea-
SSH Authentication Module
The SSH authentication component provides a function to verify the iden-
tity of a user (pam_sm_authenticate()), by prompting the user for a
passphrase and verifying that it can decrypt the target user's SSH key
using that passphrase.
The following options may be passed to the authentication module:
use_first_pass If the authentication module is not the first in the
stack, and a previous module obtained the user's pass-
word, that password is used to authenticate the user. If
this fails, the authentication module returns failure
without prompting the user for a password. This option
has no effect if the authentication module is the first
in the stack, or if no previous modules obtained the
try_first_pass This option is similar to the use_first_pass option,
except that if the previously obtained password fails,
the user is prompted for another password.
nullok Normally, keys with no passphrase are ignored for authen-
tication purposes. If this option is set, keys with no
passphrase will be taken into consideration, allowing the
user to log in with a blank password.
SSH Session Management Module
The SSH session management component provides functions to initiate
(pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions.
The pam_sm_open_session() function starts an SSH agent, passing it any
private keys it decrypted during the authentication phase, and sets the
environment variables the agent specifies. The pam_sm_close_session()
function kills the previously started SSH agent by sending it a SIGTERM.
The following options may be passed to the session management module:
want_agent Start an agent even if no keys were decrypted during the
$HOME/.ssh/identity SSH1 RSA key
$HOME/.ssh/id_rsa SSH2 RSA key
$HOME/.ssh/id_dsa SSH2 DSA key
$HOME/.ssh/id_ecdsa SSH2 ECDSA key
ssh-agent(1), pam.conf(5), pam(8)
The pam_ssh module was originally written by Andrew J. Korty
<firstname.lastname@example.org>. The current implementation was developed for the FreeBSD
Project by ThinkSec AS and NAI Labs, the Security Research Division of
Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
(``CBOSS''), as part of the DARPA CHATS research program. This manual
page was written by Mark R V Murray <markm@FreeBSD.org>.
The pam_ssh module implements what is fundamentally a password authenti-
cation scheme. Care should be taken to only use this module over a
secure session (secure TTY, encrypted session, etc.), otherwise the
user's SSH passphrase could be compromised.
Additional consideration should be given to the use of pam_ssh. Users
often assume that file permissions are sufficient to protect their SSH
keys, and thus use weak or no passphrases. Since the system administra-
tor has no effective means of enforcing SSH passphrase quality, this has
the potential to expose the system to security risks.
NetBSD 9.3 December 16, 2011 NetBSD 9.3